Understanding SELinux

Tom London selinux at gmail.com
Sun Dec 5 17:57:19 UTC 2004


On Sun, 05 Dec 2004 11:38:04 +0100, Giuseppe Greco
<giuseppe.greco at agamura.com> wrote:
> Thanks Tom,
> 
> the situation is now much better... I'm able to start squid,
> but I still get the following two error messages:
> 
> Starting squid: audit(1102241826.255.0): avc: denied { getattr } for
>   pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2
>   scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t
>   tclass=dir
> 
> audit(1102241826.255.0): avc: denied { getattr } for
>   pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2
>   scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t
>   tclass=dir
> 
> It looks like there are problems with directories /boot and /tmp...
> 
> What's strange is that I get these error messages on a machine where
> I just upgraded from FC1 to FC3... I also have another machine on
> which I installed FC3 from scratch, and there I have no problems at all.
> 

I'm running strict/enforcing with latest Rawhide packages
(selinux-policy-strict-1.19.10-4)

If I change to permissive mode (via 'setenforce 0')
and start squid (via '/etc/init.d/squid start') I get the following:

Dec  5 09:47:34 fedora kernel: audit(1102268854.527:0): avc:  denied 
{ write } for  pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453
scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t
tclass=dir
Dec  5 09:47:34 fedora kernel: audit(1102268854.527:0): avc:  denied 
{ add_name } for  pid=3455 exe=/bin/bash name=squid.out
scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t
tclass=dir
Dec  5 09:47:34 fedora kernel: audit(1102268854.528:0): avc:  denied 
{ create } for  pid=3455 exe=/bin/bash name=squid.out
scontext=root:system_r:initrc_t tcontext=root:object_r:squid_log_t
tclass=file
Dec  5 09:47:35 fedora squid[3458]: Squid Parent: child process 3460 started

With squid successfully running.

This indicates that the policy may need some additional
rules, like:
allow initrc_t squid_log_t:dir { add_name write };
allow initrc_t squid_log_t:file create;

But I don't get the messages you get.
I'm running squid-2.5.STABLE7-1.  Is this the same as yours?

tom

-- 
Tom London
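As an added example (not part of this thread, and not the policy tools' own code), the merging step that turns AVC denials into candidate allow rules, the way audit2allow does, applied to the three denials Tom quotes above; the sample log is constructed from those lines, and the emitted rules are suggestions to review against what the service actually needs, not something to load unread.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials from the message above, rejoined
# into single lines as they appear in /var/log/messages.
SAMPLE_LOG = """\
Dec  5 09:47:34 fedora kernel: audit(1102268854.527:0): avc:  denied  { write } for  pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453 scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir
Dec  5 09:47:34 fedora kernel: audit(1102268854.527:0): avc:  denied  { add_name } for  pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir
Dec  5 09:47:34 fedora kernel: audit(1102268854.528:0): avc:  denied  { create } for  pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=root:object_r:squid_log_t tclass=file
"""

# Matches the permission set, both contexts and the object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; only the type matters for a rule.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms


def suggest_allow_rules(log_text):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(log_text):
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_list = sorted(perms)
        body = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample it prints exactly the two rules Tom proposes; the same parser handles the single-line `audit(...)` form in Giuseppe's report, since it keys on the `avc: denied` fragment rather than the syslog prefix.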